Can ipfw Rules Be Based On DNS Name


Tim Daneliuk via freebsd-questions

Aug 11, 2021, 4:05:05 PM
to FreeBSD Mailing List
I have used ipfw for years to configure access at the IP address level.

I now need to block a particular domain and all its subdomains from
accessing anything on the server. Is this possible using the top level
domain name rather than IPs (which appear to be fluid).
_______________________________________________
freebsd-...@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questi...@freebsd.org"

Michael Sierchio

Aug 11, 2021, 4:26:18 PM
to FreeBSD Mailing List
On Wed, Aug 11, 2021 at 1:05 PM Tim Daneliuk via freebsd-questions <
freebsd-...@freebsd.org> wrote:

> I have used ipfw for years to configure access at the IP address level.
>
> I now need to block a particular domain and all its subdomains from
> accessing anything on the server. Is this possible using the top level
> domain name rather than IPs (which appear to be fluid).
>

Generally, no. Also, specifically, no. There isn't a way of solving the
problem as you've articulated it.

You can block entire countries by IP block. You can block a company's
entire CIDR block if it has one allocated. Tables make this easy.

You can create a cron job to do a whois on incoming traffic (if you're
logging it), and block if it's undesirable (add the block to your reject
table).

If you were concerned with outbound, rather than inbound traffic, I would
say sinkhole / blackhole DNS works.

Nathaniel Nigro

Aug 11, 2021, 5:30:43 PM
to freebsd-...@freebsd.org
/etc/hosts.allow?
--
-=ND=-

Tim Daneliuk via freebsd-questions

Aug 11, 2021, 5:43:35 PM
to FreeBSD Mailing List
On 8/11/21 4:30 PM, Nathaniel Nigro wrote:
> /etc/hosts.allow?

Hmmmm, an interesting possibility, actually. Thanks!

--
----------------------------------------------------------------------------
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/

Tim Daneliuk via freebsd-questions

Aug 11, 2021, 5:49:03 PM
to FreeBSD Mailing List
On 8/11/21 4:43 PM, Tim Daneliuk via freebsd-questions wrote:
> On 8/11/21 4:30 PM, Nathaniel Nigro wrote:
>> /etc/hosts.allow?
>
>
> Hmmmm, an interesting possibility, actually. Thanks!
>
>

Well, actually, that's not going to work because hosts.allow is for TCP
based connections and I'm already blocking everything from everywhere.
DNS uses UDP for query/replies.

Valeri Galtsev

Aug 11, 2021, 5:57:11 PM
to freebsd-...@freebsd.org

On 8/11/21 4:48 PM, Tim Daneliuk via freebsd-questions wrote:
> On 8/11/21 4:43 PM, Tim Daneliuk via freebsd-questions wrote:
>> On 8/11/21 4:30 PM, Nathaniel Nigro wrote:
>>> /etc/hosts.allow?
>>
>>
>> Hmmmm, an interesting possibility, actually. Thanks!
>>
>>
>
> Well, actually, that's not going to work because hosts.allow is for TCP
> based connections and I'm already blocking everything from everywhere.
> DNS uses UDP for query/replies.

When I'm really annoyed by some domain that hides behind a service showing
it with different IPs all the time (cloudflare pops up in my mind, but I
may be wrong), then I do

whois [current domain's ip]

which reveals to me whoever is hiding that domain, and all blocks of IPs
owned by them. Then I add all their address ranges to the blocking table
in ipfw.

The one whom I learned it from said: if you block some good people, hm,
they need to know who they are in company with, and leave for better
company...

Valeri

PS I had to abandon ipfw, and switch over to pf, but that is a different
story.

--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

Nathaniel Nigro

Aug 11, 2021, 7:38:11 PM
to freebsd-...@freebsd.org
ipfw -q add 111 deny udp from (domain) to any (or local ip) (port) in via
(interface) keep-state
Doesn't work?

On Wed, Aug 11, 2021 at 4:05 PM Tim Daneliuk via freebsd-questions <
freebsd-...@freebsd.org> wrote:

--
-=ND=-

Tim Daneliuk via freebsd-questions

Aug 11, 2021, 8:19:08 PM
to FreeBSD Mailing List
On 8/11/21 6:37 PM, Nathaniel Nigro wrote:
> ipfw -q add 111 deny udp from (domain) to any (or local ip) (port) in via
> (interface) keep-state
> Doesn't work?

Not the way I want. At the time the rule is applied, (domain) is
resolved and replaced with a single IP address. I want to block
everything coming from any IP in that domain.

Or ... so I thought ... what is actually going on the deeper I look
is that the various scammer/spammer/sleazebags are representing themselves
as a legitimate domain, hoping to forward their DNS requests through our
servers. We have that tightened down so these get rejected, but it does
make our logs very noisy:

11-Aug-2021 14:17:10.819 security: info: client @0x8032b3b60 51.89.223.6#55252 (pizzaseo.com): view external: query (cache) 'pizzaseo.com/RRSIG/IN' denied

I know of no way to stop this since these requests come from a large, and
unpredictable set of IPs.

Michael Sierchio

Aug 11, 2021, 8:20:54 PM
to Nathaniel Nigro, freebsd-...@freebsd.org
On Wed, Aug 11, 2021 at 4:38 PM Nathaniel Nigro <nathani...@gmail.com>
wrote:

> ipfw -q add 111 deny udp from (domain) to any (or local ip) (port) in via
>

No. You can add a rule for a FQDN, but that's only resolved at the time
you add the rule. It's just an IP address in the firewall ruleset.

You can maintain a table of addresses, and check that with a single rule.
You can add and delete CIDR blocks and IPv6 prefixes without changing the
ruleset or restarting the firewall. How you might do that is a non-trivial
problem. How do you find all the IP addresses associated with a particular
domain?

Nathaniel Nigro

Aug 11, 2021, 8:27:15 PM
to freebsd-...@freebsd.org
It was just a suggestion, I didn't know this was coming from a range of
different IP addresses on the same domain. Is there any consistency?
Can you use a range/subnet?

On Wed, Aug 11, 2021 at 4:05 PM Tim Daneliuk via freebsd-questions <
freebsd-...@freebsd.org> wrote:

--
-=ND=-

Nathaniel Nigro

Aug 11, 2021, 8:33:26 PM
to freebsd-...@freebsd.org
If not, I might be out of suggestions :/

On Wed, Aug 11, 2021 at 8:26 PM Nathaniel Nigro <nathani...@gmail.com>
wrote:

> It was just a suggestion, I didn’t know this was coming from a range of

Doug McIntyre

Aug 12, 2021, 10:04:32 AM
to freebsd-...@freebsd.org
On Wed, Aug 11, 2021 at 05:20:07PM -0700, Michael Sierchio wrote:
> You can maintain a table of addresses, and check that with a single rule.
> You can add and delete CIDR blocks and IPv6 prefixes without changing the
> ruleset or restarting the firewall. How you might do that is a non-trivial
> problem. How do you find all the IP addresses associated with a particular
> domain?

That's what I've done in the past, created a table referenced in IPFW,
then some sort of process that periodically checks the domain name
resolution, and updates the table if the IP addresses change.

Obviously, you are going to need to know what set of names they will
be coming from. It is unlikely that somebody would be coming from
*.lab.domain.com, it's probably going to be much more likely to be from
some small set of DNS entries.

This is the way commercial firewalls work too. If you set up a policy
in a Fortigate based on FQDN, it will only periodically go through and
update the IP addresses based on FQDNs. There could be a period where the
refresh procedure hasn't kicked off yet, and somebody connects after a
DNS update.
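The table-plus-periodic-refresh approach that Michael and Doug describe above, written out as an added example (not code from either poster or from the FreeBSD project). It assumes a hypothetical table named "blocked", a hypothetical rule number 111, a hypothetical names file /usr/local/etc/ipfw-blocked-names, and drill(1) for name resolution; the diff step adds and deletes only the changed addresses so the table is never emptied between refreshes.

```shell
#!/bin/sh
# Added example, not from the thread: keep an ipfw lookup table in sync with
# the addresses a list of names currently resolves to, so one deny rule covers
# all of them. Assumed (hypothetical) names: table "blocked", rule number 111,
# names file /usr/local/etc/ipfw-blocked-names. drill(1) ships in FreeBSD base.
# One-time setup:  ipfw table blocked create type addr
#                  ipfw add 111 deny ip from 'table(blocked)' to any in
TABLE=${TABLE:-blocked}
IPFW=${IPFW:-/sbin/ipfw}

# resolve_name NAME: print the A and AAAA records currently published for NAME.
# drill prints answer lines as "name TTL IN A addr"; CNAME lines are skipped.
resolve_name() {
    drill "$1" A    | awk '$3 == "IN" && $4 == "A"    { print $5 }'
    drill "$1" AAAA | awk '$3 == "IN" && $4 == "AAAA" { print $5 }'
}

# table_delta CURRENT WANTED: both are newline-separated address lists.
# Prints "add ADDR" for wanted-but-missing and "delete ADDR" for stale entries,
# so the table converges without a flush (no window where nothing is blocked).
table_delta() {
    cur=$(printf '%s\n' "$1" | sed '/^$/d' | sort -u)
    want=$(printf '%s\n' "$2" | sed '/^$/d' | sort -u)
    printf '%s\n' "$want" | while read -r a; do
        [ -n "$a" ] || continue
        printf '%s\n' "$cur" | grep -qxF -- "$a" || echo "add $a"
    done
    printf '%s\n' "$cur" | while read -r a; do
        [ -n "$a" ] || continue
        printf '%s\n' "$want" | grep -qxF -- "$a" || echo "delete $a"
    done
}

# sync_table NAMES_FILE: resolve every name (blank lines and # comments are
# ignored), read the live table, and apply only the differences.
sync_table() {
    wanted=""
    while read -r name; do
        case "$name" in ''|'#'*) continue ;; esac
        wanted=$(printf '%s\n%s\n' "$wanted" "$(resolve_name "$name")")
    done < "$1"
    # "ipfw table NAME list" prints "ADDR/PREFIX VALUE"; keep the bare address
    current=$("$IPFW" table "$TABLE" list | awk '{ sub("/[0-9]+$", "", $1); print $1 }')
    table_delta "$current" "$wanted" | while read -r op addr; do
        "$IPFW" -q table "$TABLE" "$op" "$addr"
    done
}

# Invoke as "ipfw-sync-names sync" from cron, e.g. every 10 minutes.
if [ "${1:-}" = "sync" ]; then sync_table /usr/local/etc/ipfw-blocked-names; fi
```

As Doug notes, a name that changes its records between two cron runs is unblocked until the next refresh, so the interval is the trade-off between DNS load and that window.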